
CVE-2023-26258 Scanner
CVE-2023-26258 Scanner - Authentication Bypass vulnerability in Arcserve UDP
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Arcserve UDP (Unified Data Protection) is a data protection product used by organizations worldwide to back up, replicate, and recover data across physical and virtual infrastructure. Organizations deploy it to keep business continuity and limit data loss after an outage or disaster, and administrators rely on it to manage backups across distributed networks. Because it scales from small environments to large enterprises and integrates with many platforms, a UDP server typically holds backup data, and often credentials, for a large part of the estate, which makes it a high-value target.
CVE-2023-26258 is an authentication bypass in Arcserve UDP. The web service endpoint /WebServiceImpl/services/FlashServiceImpl can be reached without credentials, and its getVersionInfo method returns the server's AuthUUID token in the response. That token is meant for internal validation only, but nothing stops a remote client from reusing it: presenting the leaked AuthUUID to /WebServiceImpl/services/VirtualStandbyServiceImpl yields a valid session with administrative privileges, after which the attacker can perform any task the administrator can.
The flaw therefore defeats the application's authentication controls in two unauthenticated requests, the first to harvest the token and the second to exchange it for a session. It is a critical access-control failure in the affected versions: an attacker needs only network access to the UDP management web interface, not a user account, and the result is full administrative control rather than limited information disclosure.
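The following check, added here as an example and not the scanner's own code, performs the first step of the chain described above: it sends the getVersionInfo SOAP call to /WebServiceImpl/services/FlashServiceImpl and reports whether the reply leaks an AuthUUID element. The SOAP service namespace is an assumption, and the sample replies are constructed for offline testing; only the leak is detected, the token is never exchanged for a session.

```python
"""Detection check for the CVE-2023-26258 AuthUUID leak (added example).

Builds the getVersionInfo SOAP request for FlashServiceImpl and inspects the
reply for an AuthUUID element. A reply that carries one means the token leak,
and therefore the bypass, is present. SERVICE_NS is an assumption and the
sample replies below are constructed, not captured from a real appliance.
"""
from typing import Optional
import ssl
import urllib.request
import xml.etree.ElementTree as ET

FLASH_ENDPOINT = "/WebServiceImpl/services/FlashServiceImpl"
SERVICE_NS = "http://service.arcserve.com/"  # assumed service namespace


def build_get_version_info_request() -> bytes:
    """SOAP 1.1 envelope invoking getVersionInfo with no arguments."""
    envelope = (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:ser="{SERVICE_NS}">'
        "<soapenv:Header/><soapenv:Body><ser:getVersionInfo/></soapenv:Body>"
        "</soapenv:Envelope>"
    )
    return envelope.encode()


def extract_auth_uuid(response_xml: str) -> Optional[str]:
    """Return the leaked AuthUUID value, or None when the reply carries none.

    Matches on the local element name so a namespace prefix on AuthUUID does
    not hide the leak; unparsable or empty replies count as no leak.
    """
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # '{ns}AuthUUID' -> 'AuthUUID'
        if local_name == "AuthUUID" and el.text and el.text.strip():
            return el.text.strip()
    return None


def is_vulnerable(response_xml: str) -> bool:
    """True when the getVersionInfo reply exposes an AuthUUID."""
    return extract_auth_uuid(response_xml) is not None


def check_host(base_url: str, timeout: float = 10.0, verify_tls: bool = True) -> Optional[str]:
    """Send the request to a live host and return the leaked AuthUUID, if any.

    Not exercised by the offline test. Appliances often run self-signed
    certificates, so TLS verification can be disabled explicitly.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + FLASH_ENDPOINT,
        data=build_get_version_info_request(),
        headers={"Content-Type": "text/xml;charset=UTF-8", "SOAPAction": '""'},
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return extract_auth_uuid(resp.read().decode("utf-8", "replace"))


# Constructed sample replies for offline use (not real appliance output).
LEAKY_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    f'<ns2:getVersionInfoResponse xmlns:ns2="{SERVICE_NS}"><return>'
    "<AuthUUID>11111111-2222-3333-4444-555555555555</AuthUUID>"
    "</return></ns2:getVersionInfoResponse></soap:Body></soap:Envelope>"
)
SAFE_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    f'<ns2:getVersionInfoResponse xmlns:ns2="{SERVICE_NS}"><return/>'
    "</ns2:getVersionInfoResponse></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    print("leaky sample ->", extract_auth_uuid(LEAKY_RESPONSE))
    print("safe sample  ->", extract_auth_uuid(SAFE_RESPONSE))
```

Running `check_host("https://udp.example.internal:8015")` (hostname and port are placeholders) returns the leaked token on a vulnerable server and None on a patched one; the token should be treated as a credential and not logged in scan output.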
Successful exploitation gives an unauthenticated attacker the same capabilities as a legitimate administrator: reading, altering, or deleting backup data and configuration, and disrupting or disabling the backup jobs an organization depends on for recovery. Because the UDP server is the last line of defense against data loss, an attacker who controls it can both destroy recovery points and use the server as a foothold to deploy further tooling or malware into the environment. Organizations relying on Arcserve UDP should treat a confirmed AuthUUID leak as a full compromise of the backup platform until it is patched and any sessions or credentials stored on it are rotated.